Practical Considerations for Overfilling Scenario Application
Post on 14-Jan-2022
5 Views
Preview:
Transcript
22nd Annual International Symposium October 22-24, 2019 | College Station, Texas
Practical Considerations for Overfilling Scenario Application
Houston Haile, Robert (Bob) Siml*
Siemens Energy, Inc.
4615 Southwest Freeway, Suite 900,
Houston TX 77027
*Presenter E-Mail: Robert.Siml@Siemens.com
Abstract
As a result of the BP Texas City explosion, industry recognized overfilling as one of the most
important overpressure scenarios to be considered. Atmospheric release of flammable liquids
above their flash point is no longer an accepted industry practice. Additionally, overfilling with
combustible liquids often leads to mist formation, which may be easily ignited. Overfilling
applicability is a critical factor in deciding whether to tie-in a relief system to a closed disposal
system; for example, large liquid loads, especially those which are flashing, can affect knockout
drum and flare capacity, radiation, etc.
This paper addresses practical considerations in determining if overfilling leads to overpressure.
Subtle but important practical factors determine overfilling applicability, and the analysis requires
an in-depth understanding of the process, instrumentation, and procedures. How the feed pressure
reacts during overfilling must be carefully reviewed. Deciding if overfilling applies typically
involves determining if an independent high-level alarm (IHLA) is present and whether there is
adequate time for operator intervention. In some facilities, pressure transmitters are ranged to span
the entire equipment height, giving additional redundancy in level alarms. As a result, an informal
Layer of Protection type Analysis (LOPA) may eliminate overfilling as a source of overpressure,
by serving to limit the maximum upstream feed pressure or serving as an IHLA. In some cases,
the equipment will simply overflow to high capacity systems, such as a header system, such that
no overpressure will occur. In other cases, the flow may have to fill multiple vessels; therefore,
overpressure by overfilling is not credible based on multiple level alarms. These factors are each
described and careful consideration can guide the overfilling applicability determination.
Keywords: Safety, Pressure Relief Analysis, Overfilling, Vapor Cloud Explosion
1. Introduction
In 2005 the BP Texas City refinery overfilled the raffinate splitter in the Isomerization unit
during startup[1]. The relief valves discharged into a “blowdown drum with an atmospheric
stack.” The intent of the system was to allow vapor flashing off liquids to be vented at an
elevated discharge location for dispersion and collect the remaining liquid. The use of a
blowdown drum with an atmospheric stack was recognized as an antiquated practice but
had not been routed to a flare system. The atmospheric blowdown drum was subsequently
overfilled with liquid above the flash point.
The liquid above the flash point resulted in evaporation which increased due to droplet
formation from liquid falling on equipment. The resulting vapor cloud was likely ignited
by an idling truck resulting in the 15 fatalities and 180 injuries.
Two of the Chemical Safety Board (CSB) findings[2] can be summarized as:
− Potential for overfilling must be considered.
− Atmospheric release of liquids above the flash point is not accepted practice.
2. Applicable Codes and Standards
The applicable standard for evaluating overfilling for pressure vessels is API Std 521.
As a result of the 2005 Isom Explosion, API issued the API 521 5th ed 2008 Addendum[3]
which added significant guidance on overfilling in §5.23 Overfilling Process or Surge
Vessel. (The overfilling guidance was subsequently modified slightly and moved to §4.4.7
in the API 521 6th ed – 2014[4].) Key aspects are:
1) Startup and other non-normal modes of operation must be considered.
2) If the source of pressure can exceed the equipment design / relief device set pressure,
options include, but are not limited to:
Eliminate overfilling with vessel design / relief device set pressure
− Ensure there is adequate margin between the relief device set pressure and
maximum operating pressure, otherwise design the relief device and disposal
system for the liquid release.
− Consider the foundation, vessel design, and piping in overfilling.
Design the relief system for overfilling
− Ensure the relief device and disposal system can handle the liquid release.
− Consider effects of two-phase flow and potential for autorefrigeration.
− Consider the foundation, vessel design, and piping in overfilling.
Install a Safety Instrumented System (SIS)
− Safety Integrity Level (SIL) rating based on risk analysis.
− Consider availability of instrumentation for SIS activation.
3) Evaluate the risk associated with discharge location (e.g. Atmosphere, process, flare.)
4) Considerations for level instrumentation include:
− If safeguards are on different taps from process control system;
− Susceptibility of instrumentation to common mode failures;
− Tendency for level to show low or high when out of range;
− Tendency for level to show low during overfilling; (e.g. Overfill top leg of dP
cell.)
− Impact of composition or temperature on density for dP cells;
− Whether instrumentation is proven for the specific application;
− Whether any instrumentation can span an extended range;
− Whether instrumentation is suitable for non-normal operation.
− Maintenance and testing frequency;
3. Other Industry Accepted Methods
It is common industry practice to exclude overfilling based on an independent high level
plus adequate operator response time. Although it is easy to interpret this as a simplistic
guideline that does consider the potential failure of operator intervention, the minimum
acceptance criteria in context with API Std 521[5] is:
To exclude overfilling based on an independent level alarm and operator intervention
− Ensure an independent level alarm plus 10 – 30 minutes operator response time.
− Consider the availability and independence of instrumentation.
− Ensure training and procedures include expected behavior of instrumentation.
− Ensure operators agreement that procedures can be safely relied upon.
− Evaluate the risk associated with failure of operator intervention. Potential effects
are included in Table 1:
Table 1: Potential Effects Associated with Discharge Location
Discharge Location Potential Effects
Process Other process relief
Flare Backpressure, knockout drums, radiation
Atmosphere Toxic or flammable release
The time for operator response must be determined by the owner operator based on the
complexity of the operation and the time for the operator to diagnose / mitigate the problem.
Factors should include the potential for “operator overload” due to multiple alarms in
complex situations. Training must include written procedures and corrective actions.
Evaluating the risk associated with the failure of operator intervention is based on the
operating company’s risk evaluation and acceptance criteria. The range of criteria include:
1) Evaluating the risk / potential overpressure when routed to a closed system.
2) Determining the layers of protection required for routing to atmosphere.
4. Summary of Commonly Accepted Overfilling Protection Practices
All of process design is ultimately geared toward the most cost-effective process design
and most cost-effective risk reduction. In some cases, the risk is quite low and can be
easily managed. In other cases, the risk-based engineering analysis is quite complex.
The order of preference of dealing with overfilling, given in Table 2, is generally:
Table 2: Order of Preference in Dealing with Overfilling
Mitigation Preference
Eliminate overfilling with vessel design / relief device set pressure Highest
Exclude overfilling based on company’s risk acceptance criteria
Design the relief system and disposal for overfilling
Install a safety instrumented system (SIS) Lowest
For new and existing facilities, the preference is to eliminate overfilling with the equipment
design, if economically feasible.
If it is not economically feasible to eliminate overfilling by design, then the focus shifts to
determining if the relief and disposal system is adequate for overfilling or if overfilling can
be excluded with additional safeguards to meet the company’s risk acceptance criteria.
It can be successively argued that overfilling is not applicable because of the nature of the
system or the risk has been sufficiently reduced to meet the company’s risk criteria in a
variety of cases, including:
− Closed loop systems during charging and normal operation.
− Cases where overfilling (overflowing) will not cause overpressure.
− Cases where overfilling is so disruptive that it must be corrected to operate.
− Cases where overfilling cannot occur based on a thorough understanding of the pump
calculations.
− Cases involving design changes to eliminate overfilling. (Inherently Safer)
− Cases where overfilling can be excluded by a PHA or LOPA.
− Cases where additional layers of protection have been added to exclude overfilling.
5. Closed loop systems
Closed loop systems are intended to operate with a fixed inventory circulating in a loop.
Although seeming simple systems, extensive work is involved in designing a closed loop
system. Besides designing for normal operation, the designer must also calculate the
required charge and decide if the inventory will be stored in one vessel or if the bulk of the
inventory will reside in the loop during maintenance.
During charging, overfilling / overpressure is generally not expected to apply if well-
established procedures are followed.
During normal operation, overfilling / overpressure is also not expected. However, a
systematic evaluation is required to ensure that upsets such as inadvertent closure of a block
valve will not result in overpressure. Furthermore, if the intent of the design is to store the
entire charge in one vessel, the inventory of the system versus vessel volume should be
verified.
Examples of closed loop systems where overfilling is expected to be designed out of the
system during startup / normal operation is given in Table 3:
Table 3: Closed Loop Systems – Overfilling Designed Out
Hot Oil System Equipped with an expansion tank designed with “fill to cold” and
“operating hot” levels. Overfilling due to thermal expansion is
designed out.
Refrigeration A refrigeration system is designed for a fixed inventory and
charging is well-defined. Overcharging is designed out.
Amine Systems The inventory of an amine absorbent system is well designed.
Overfilling due to overcharging amine is typically not considered.
Consideration must be given to abnormal flow into the system causing overfilling.
Possibilities include:
− Tube leak / broken tube scenarios
− Control valve failure cases
Examples of a control valve failure scenario that can cause overfilling is liquid hydrocarbon
breakthrough to an amine treating or sour water
6. Overfilling (Overflowing) Will Not Cause Overpressure
In some cases, equipment is open to utility headers or downstream equipment; therefore
“overfilling” (overflowing) will not cause overpressure.
Example 1: Normally Open Path to Downstream Header
A boiler is typically open to the downstream steam header. A simplified boiler is shown
in Figure 1.
Figure 1: Simplified Boiler
ASME Section I[6] prescribes the relief system design requirements as the design steaming
rate of the boiler. The underpinnings are that for BFW feed control valve fail open or
inadvertent opening of the bypass, the boiler is open to the header.
Similarly, for process steam generator built according to ASME Section VIII[7] and the
potential overpressure evaluated by API Std 521[8], the BFW feed control valve failing
open (or inadvertent opening of the bypass) and the outlet being blocked at the same time
is typically considered “double jeopardy.”
A brief pressure relief analysis of a boiler in given in Table 4.
Table 4: Typical Boiler Pressure Relief Analysis
Scenario Relief System Design Basis?
Blocked Outlet (Steam) Yes Normal steam flow
Blocked Outlet (C-BD) No Slightly wet steam to header
Blocked Outlet (I-BD) No NC - Intermittent use
Control Valve / Bypass No Overflow to the header
Different companies have different policies on how to treat overfilling in these situations:
− Assume the path to the header is adequate.
− Perform hydraulics to ensure the path to the header is adequate.
− Design the relief system capacity for overfilling.
(Discharge of relief system must be routed to a safe location.)
When credit is taken for flow to the header, a hydraulic analysis should be considered to
ensure the path is adequate without exceeding allowable accumulation. In addition, the
steam line should be supported for liquid / two-phase flow.
A common position is that the boiler feedwater will flow to the steam header and the relief
valves on the boiler will not lift. The steam header is typically quite large compared to the
capacity of an individual BFW control valve failing open. A good case can be made that
the “overfilling” (overflowing) of the boiler will be detected via the effects on the operation
of the steam system (i.e. loss of heat transfer in the process, rotating equipment stops
working, etc.) long before overpressure occurs.
Damage can occur due to steam hammer and liquid flowing into turbines. However, the
damage cannot be prevented with a relief valve. Minimizing equipment damage is
typically considered part of Loss Prevention.
Example 2: Vaporizer Normally Open to Downstream Header
Another common example of a piece of equipment that is open to a downstream equipment
or distribution header is a process vaporizer. A common vaporizer is shown in Figure 2.
Figure 2: Process Vaporizer
The minimum relief system design basis for a vaporizer that is normally open to the header
is the vapor generation rate for blocked outlet.
The process feed control valve failing open, inadvertent opening of the bypass, loss of heat
input, or a broken tube are overfilling concerns, but the vapor valve being blocked-in at the
same time is typically considered double jeopardy.
When credit is taken for flow to the downstream equipment, a hydraulic analysis should be
considered to ensure the path is adequate without exceeding allowable accumulation. In
addition, the vapor line should be supported for liquid / two-phase flow.
Whether the downstream system can absorb the additional flow must also be considered.
If the downstream system cannot absorb the additional flow, the relief system on the
vaporizer or downstream system must be designed for the additional flow.
7. Overfilling is So Disruptive that it Must be Corrected to Operate
In some cases, the owner operator may decide that the onset of overfilling is so disruptive
that the process cannot continue to operate and must be shutdown.
Example 3: Overfilling is not Possible Based on System Behavior
An example of a system where it might be argued that overfilling is not credible because it
is so disruptive to the process is a Fluidized Catalytic Cracker (FCC) – Main Fractionator.
A significant part of the driving force of the process is the air blower to the regenerator. If
the main fractionator were to try to overfill the blowers must support the entire column of
liquid which also has the effect of backing out the air blowers which is a major upset to the
process. A simplified FCC – Main Fractionator is shown in Figure 3.
Figure 3: FCC Main Fractionator
Discussions with engineering and operations on potential for overfilling of a Fluidized
Catalytic Cracker – Main Fractionator can be summarized as:
“The effects of the Main Fractionator starting to overfill are so obvious that the
unit cannot keep running. We must shutdown and restart.”
This reflects a complex understanding of the operation including high levels in multiple
vessels, higher pressure drop through the process causing the air blower to back out, etc.
The decision that overfilling can be excluded on the basis that the effect on the process is
so obvious that the process cannot continue to operate must be made by a qualified
individual (e.g. superintendent) or preferably a group knowledgeable in the operation of
the unit and documented accordingly.
8. Overfilling Cannot Occur with Thorough Understanding of Calculations
Most overfilling cases involve pumps. A key aspect of evaluating overfilling is
understanding how the upstream pressure reacts when the pump is effectively deadheaded
into a downstream system.
Example 4: Pumps with a Well-Defined Maximum Upstream
Some pumps will have a very well-defined maximum upstream pressure. An example is a
rail car, tank car, or transfer operation. See Figure 4.
Figure 4: Loading Operation with Well-Defined Upstream Pressure
𝑃𝑢𝑚𝑝 𝐷𝑖𝑠𝑐ℎ𝑎𝑟𝑔𝑒 𝑃𝑀𝑎𝑥 = 𝑃𝑁𝑜𝑟𝑚𝑎𝑙 + 𝜌
144(
𝑔
𝑔𝑐) (𝐻𝐷𝑒𝑎𝑑ℎ𝑒𝑎𝑑 + 𝐻𝑆𝑡𝑎𝑡𝑖𝑐)
Observations
− It is unusual to feed into and pump out of storage vessels at the same time for
inventory control purposes. (e.g. Low-pressure tanks, bullets, spheres.)
− Inadvertently blocking the flow to the rail car loading operation will not result in
overfilling of the bullets. (Overfilling may apply for other modes of operation.)
− Railcars and tank cars are equipped with relief devices.
− The maximum discharge pressure of the loading pumps is based on the highest
normal operating pressure of the bullets. (In cold climates, the bullets may be
padded with natural gas in the wintertime.)
It is expected that rail car and tank car loading operations are “inherently safer” designs
such that the maximum pump discharge pressure cannot exceed the pressure rating of the
rail car or tank car but must be verified with a thorough understanding of the loading
operation.
Example 5: Pumps Associated with Vessels with Open Vents
Calculating the maximum pump pressure associated with a vessel with an open vent can
be deceptive. In the case of a basic API 650 tank, the maximum static head is well defined.
Occasionally, a pressure vessel will be equipped with an open vent. The observer might
be tempted to assume the vessel is at “atmospheric pressure.” However, there is a
maximum feed pressure/sizing basis for the open vent which must be taken into
consideration. See Figure 5.
Figure 5: Maximum Upstream Pressure with an Open Vent
𝑃𝑢𝑚𝑝 𝐷𝑖𝑠𝑐ℎ𝑎𝑟𝑔𝑒 𝑃𝑀𝑎𝑥 = 𝑃𝑅𝑒𝑙𝑖𝑒𝑓 + 𝜌
144(
𝑔
𝑔𝑐) (𝐻𝐷𝑒𝑎𝑑ℎ𝑒𝑎𝑑 + 𝐻𝑆𝑡𝑎𝑡𝑖𝑐)
Observations
− Feed drum will overfill.
− The potential for overpressuring the process depends on the pressure used for
sizing open vent.
In this case, inadvertently blocking the outlet of the process will back the pump up the
curve. The feed drum will overfill. The potential for overpressuring the process can
depend on the sizing basis of the open vent.
It is possible to have a case where the downstream vessel relieves moving the pump back
out on the curve / lowering the suction pressure such that the system will oscillate between
relieving upstream and downstream. The preference is to size the open vent (and choice
of the pump) so the wash water drum will relieve water instead of the process relieving for
an “inherently safer” design.
Example 6: Complex Overfilling Considerations
Overfilling of a column system entails filling the entire column system. This example
assumes the initiating event is the bottoms control valve failing open. See Figure 6.
Figure 6: Overfilling of a Distillation Column
Assumptions that should always be checked in determining the maximum discharge
pressure of the pump include considering relief valve location / sizing basis and how the
feed pressure / flow will react when the column pressures up. See Figure 7.
Figure 7: Factors Involved in Bottoms Pump Discharge Pressure
Factors include:
Feed
− How does the feed flow rate change?
− How does the feed pressure change?
Static head Considerations
− Is the column relief device located on the overhead line near the top of the column
or close to the condensers?
Maximum Relieving Pressure
− Is the relief device set at limiting MAWP or lowered to account for static head?
− If relief device is located below the top of the column, did sizing include the
additional pressure from static head for overfilling? (Rare)
− Will overfilling result in a loss of cooling plus continued heat input?
Ultimately
− Can a lower relieving pressure be justified?
If the relief system is oversized:
− Can one device be used instead of multiple devices?
(10% versus 16% accumulation)
− Is the device a pilot?
(Full open at set pressure = Calculated accumulation versus 10%
accumulation.)
A seemingly “basic” overfilling concern can involve significant complexity in determining
how the upstream pressure will react, static head, and set pressure considerations. Consider
multiple columns in series. See Figure 8.
Figure 8: Multiple Columns in Series:
Observations
− Credit can potentially be taken for forward flow for both sets of overheads pumps.
− The first system could potentially relieve before the downstream column relieves.
− The static head included on the bottoms pump for the first column is partially offset
based on the static head to the relief device on the second column.
− Elevation of the equipment and static head effects are not included in this example.
Conclusions
1) A seeming basic overfilling scenario can be quite complex.
2) If the relief device and disposal system are inadequate based on easy assumptions,
the pump discharge flowrate and pressure can potentially be significantly refined.
9. Changing the Design to Eliminate Overfilling (Inherently Safer)
If a relief valve discharges to atmosphere or the relief device / disposal system are
inadequate for overfilling, a valid approach is permanently changing the operating
envelope to eliminate overfilling:
Example 7: Excluding Overfilling of a Low-Pressure Separator
A common design criterion in the design of a hydrotreater is to ensure the high-pressure
separator cannot overfill the low-pressure separator when the high-pressure letdown valve
fails open or the bypass is inadvertently opened. If the low-pressure separator is full of
liquid and high-pressure gas enters the system, liquid will be displaced at the vapor
volumetric expansion rate. This is known as “liquid displacement” or “bottom venting.”
The required relief area for displacing liquid at the vapor volumetric rate can easily be 10
times higher than expected for the vapor by itself even if credit is taken for continued
outflow through the vapor and liquid control valves from the low pressure separator in their
normal position with no credit for positive response by the control system. See Figure 9.
Figure 9: Control Valve Fails Open Resulting in Liquid Displacement.
Besides simply preventing the low-pressure separator from becoming liquid full, the
preference is to limit the maximum level to ensure the relief system is adequate based on
2-phase disengagement models and a check for liquid re-entrainment.
In one case, the high-pressure separator was replaced with a larger vessel, but the low-
pressure separator was not. The relief system was significantly undersized for liquid
displacement.
This case involved extensive discussions with operations with two objectives:
1) Avoid potential liquid displacement and otherwise limit the maximum level in the
low-pressure separator to ensure the relief system is adequate when 2-phase
disengagement and the potential for liquid re-entrainment is taken into consideration.
2) Minimize the potential to inadvertently lose level in the high-pressure separator
causing vapor displacement (also known as “gas blowby”) even through the relief
system was adequate.
The agreed upon changes were additional independent instrumentation to include both
high, high-high, low, and low-low level alarms. Although the changes can be viewed as a
layer of protection analysis, the better understanding is a permanent shift in the operating
envelope to eliminate potential overfilling for the low-pressure separator. See Figure 10.
Figure 10: Change Operating Envelope to Exclude Overfilling / Liquid Displacement
Other cases that were considered separately:
− Gas blow-by (vapor based on disengagement models)
− Blocked outlet (two-phase)
10. Overfilling Excluded with a PHA or LOPA
A Process Hazard Analysis (PHA) is a team of qualified individuals from engineering and
operations. Based on an in-depth review of the system, a PHA team may include or exclude
overfilling as a relief system design scenario based on the collective knowledge of the team.
Example 8: Excluding Overfilling of a Hydrotreater by a PHA
Hydrotreating and hydrocracking are two similar but separate processes under the broad
category of hydroprocessing.
Hydrotreating removes impurities such as sulfur (to hydrogen sulfide H2S) and nitrogen
(to ammonia). In addition, some cracking generating to methane occurs. In the process,
olefins are saturated which raises the octane rating of gasoline and cetane rating of
diesel.
Hydrocracking breaks larger molecules into smaller ones.
There are several configurations but both processes involve reacting the material at high
pressure and temperature with hydrogen in the presence of a catalyst. A basic hydrotreater
design is shown in Figure 11.
Figure 11: Basic Hydrotreater
The reaction is sometimes liquid phase and sometimes supercritical depending on the
design. The combined feed to the fired heater and flow after the cross exchanger is 2-
phase.
Assuming the charge pump is capable of overpressuring the system, the relief system is
often designed for overfilling for blocked product outlet from the separator. How to handle
the hydrogen is a discussion issue.
Recycle Hydrogen
Some companies include the recycle hydrogen. Other companies consider the recycle
compressor as stopping; therefore, the recycle hydrogen stops.
Make-Up Hydrogen
The make-up hydrogen is largely consumed but some H2S, ammonia, and methane is
generated. Since the process is no longer operating normally, the most common design
basis is to include the make-up hydrogen with the product flow as if no hydrogen is
consumed.
Even a basic hydrotreater is a still a large complex process. If the relief or disposal system
is inadequate, a valid question is:
“Is overfilling a relief system design scenario based on levels in multiple pieces
of equipment, the behavior of the process, etc.?”
The results from a PHA team from engineering and operations on potential overfilling of
this hydrotreater can be summarized as:
“Overfilling / overpressure of the hydrotreater will not occur because of
multiple level indications, the behavior of the equipment, and calls from
downstream unit losing feed.”
This reflects an understanding of the complex behavior of the unit and the layers of
protection to prevent overfilling.
Example 9: Excluding Overfilling Light Ends Unit by a PHA
One type of Vapor Recovery Unit after the Fluidized Catalytic Cracker involves absorbing
the cracked gases as shown in Figure 12.
Figure 12: FCC Absorption Vapor Recovery Unit
Overfilling of this system due to blocked liquid outlet of the separator would require
overfilling four vessels, with the associated high-level indications from each vessel and the
associated process upsets. The pressure in the equipment would only build due to static
head and some additional pressure drop until the liquid finally reaches the control valve to
the fuel gas system. Once the liquid finally reaches the control valve to the fuel gas system,
the pressure would spike, and overfilling / overpressure would occur.
Blocked liquid outlet of any of the other liquid paths requires overfilling of at least three
vessels with the associated high-level indications. (The vapor control valves are much
larger than the liquid control valves. The separator and its level instrumentation would
typically also be involved.)
A PHA team consisting of engineering and operations personnel decided that the risk of
overfilling was sufficiently low that overfilling was not a relief system design scenario for
overpressure protection.
11. Adding Layers of Protection to Exclude Overfilling
In the event the PHA includes overfilling as a relief system design scenario, an option is a
Layer of Protection Analysis (LOPA). A LOPA also consists of qualified team to
quantitively assess the risk, determine the number of layers of protection present, and the
number of layers required to reduce the risk to the owner operator’s risk acceptance criteria.
Layers of protection could range from adding an independent high-level alarm (IHLA) to
a Safety Instrumented System (SIS) with a Safety Integrity Level (SIL) to add a sufficient
number of layers based on the probability of failure on demand.
If no independent high-level alarm is present, adding one could provide one layer of
protection with credit for operator response. However, if a high-level alarm is already
present, then simply adding another one typically does not add another layer because the
operator is in common. For additional credit, entire layers of protection must be added.
In the case where there are multiple alarm points present, a written management system
which includes training of additional outside operators, inside operator, and/or the shift
foreman to respond to different alarm points if corrective action hasn’t been taken may
constitute additional layers of protection. Factors that would be included are evaluation of
the response times, the corrective actions to be taken, actions to be taken during loss of
communication with the primary outside operator, etc.
Example 10: Adding Layers of Protection to Exclude Overfilling
After the Isom explosion (referred to in Section 1) some companies recognized:
− An independent high-level alarm was not present or subject to common mode failure.
− The range of level transmitters were only intended for normal operation.
As a result, one of the strategies used a (LOPA) type analysis to ensure the level would
always be detectable and provide multiple indications of overfilling. See Figure 13.
Changes often included:
1) Adding differential pressure transmitter spanned for the entire height of a column to
ensure the level was always detectable if the level overfilled the high tap on the
normal dP cells used for level control instrumentation.
2) Adding high level alarms
3) Using high differential pressure alarms over beds to provide multiple indications of
potential overfilling.
4) Implementing level deviation alarms comparing level instrumentation with level
information predicted from the differential pressure instrumentation.
Figure 13: LOPA Implementation to Reduce Risk of Overfilling
12. Conclusions
1) Overfilling typically does not apply to Closed Loop Systems.
(A systematic analysis is still required.)
2) Overfilling to a utility system will typically not result in overpressure.
3) Overfilling to other process equipment may not result in overpressure.
(The ability of the downstream system to absorb the flow must be checked.)
4) In some cases, the onset of overfilling is so disruptive it can be excluded as a scenario.
5) Pump discharge pressure calculations require a thorough understanding of the system.
6) A PHA or LOPA may exclude overfilling as a design scenario.
7) Additional layers of protection can be added to excluding overfilling as a scenario.
8) The preference is to design out overfilling with equipment design. In some cases it is
possible to ensure the operating envelope is so narrow that overfilling is not a scnenario.
13. References
[1] CSB: U.S Chemical Safety Board (2007) Report 2005-04-I-TX Refinery Explosion
and Fire, Available https://www.csb.gov/assets/1/20/CSBFinalReportBP.pdf p.17.
[2] Ibid, p. 21 - 23
[3] API Standard 521:2008, Pressure-relieving and Depressuring Systems, p. 65-66
[4] API Standard 521:2014, Pressure-relieving and Depressuring Systems, p. 21-22
[5] Ibid, p. 13
[6] ASME BPVC, Section I:2017, Rules for Construction of Power Boilers, p. 61
[7] ASME BPVC, Section VIII Div 1:2017, Rules for Consruction of of Pressure Vessels
[8] API Standard 521:2014, Pressure-relieving and Depressuring Systems, p. 13
top related